Tuesday, September 13, 2016

Investment Recommendation: Claroty Series A

Today, Claroty came out of stealth, announcing a Series A financing led by Bessemer. $32 Million is a lot for a Series A, but this is an important company for our nation and our planet. To explain why, I thought I'd share this excerpt from our internal investment memo.

EXCERPT from APRIL 2016:

The Need for Industrial Security

The physical infrastructure of modern civilization runs on machinery: traffic lights, railroad switches, nuclear reactors, water treatment, electricity distribution, dams, ship engines, drawbridges, oil rigs, hospitals, gas pipelines, and factories depend upon mechanical elements such as pressure valves, turbines, motors, and pumps. These actuators (like the ones in the original Bessemer steel smelting process) were once manually configured, but today these machines are controlled by software running on directly attached, single-purpose computers known as Programmable Logic Controllers (PLCs). PLCs, in turn, are connected in aggregate to computers running Human Management Interfaces (HMI) through closed, vendor-proprietary Supervisory Control & Data Acquisition (SCADA) protocols like DNP3 and Profibus. Industrial manufacturers provide the machines, the PLCs, and the HMIs, so Operations Technology (OT) teams typically run a mix of controllers and interfaces. This whole stack is collectively known as an Industrial Control System (ICS).

During the PC revolution, many of these ICS components migrated to cheap, standard PCs, and their SCADA connections migrated to LAN switches and routers that leveraged the connectivity of those PCs’ standard Ethernet ports. The security implications were relatively minor until the Internet came along; but now, if any computer in the building is connected to the Internet, all the machines are potentially exposed. ICS security had once depended upon an air gap between IT and OT networks; where a connection was absolutely necessary, devices like one-way data diodes were used to send data out of the OT network to the outside world. However, trends like remote management, cloud, IoT, and the adoption of open standards are eroding that network segmentation and creating new attack vectors.

The threat of ICS attacks is very different from the threats plaguing other computer networks. First, there is little valuable data to steal from a PLC (with the theoretical exception of pharmaceuticals), and yet the consequences of an attack are potentially catastrophic; the worst doomsday scenarios of cyber warfare arise from compromised machinery such as gas relays, dams, reactors, and water treatment facilities that can kill millions of people when they malfunction. To get a taste of the kind of damage we’re talking about, watch this video from 2007, in which researchers at the Idaho National Laboratory hacked some of the lab’s own machinery.

Second, the fear of unexpected downtime also makes OT teams
less willing to experiment with new hardware and software updates. These
factors create an environment of older computers running older software that is
never patched despite the accumulation of known vulnerabilities.

Finally, OT teams will not run encryption or conventional
cybersecurity software on their computers, lest the security processes
interfere with the precise and fragile timing of their network; they would
rather be infected than incur downtime. And evidence of infections is mounting:

• The Stuxnet worm, allegedly developed jointly by the NSA and the Israeli Army’s intelligence arm (Unit 8200), crippled the Iranian nuclear program by destroying its centrifuges;

• Iran crippled the operations of the most valuable company on Earth, Saudi Aramco;

• According to BVP-funded iSIGHT Partners, the Russia-based Sandstone Team developed the Blackworm malware that shut down power for 700K Ukrainians;

• For two years, an Iranian group controlled malware inside a dam in Rye, New York (near BVP’s Larchmont office).

The malware behind these attacks likely lay dormant for some time, and there is no comprehensive way to know how much more already lurks in critical ICS just waiting to be activated. According to ICS-CERT, we discover more and more infections in US infrastructure every year. So, at a time when nation-states, terrorists, and criminal organizations are scrambling for an advantage in cyberspace, society’s most critical infrastructure remains exposed and undefended.

Claroty’s Origin

Although our small investment in cyber foundry Team8 is gaining market value, we originally invested for more strategic reasons. Following our roadmap principle of “following the attackers,” we have long known that ICS would develop into a significant target, and hoped Team8 would provide us the best opportunity to invest in this market. They did just this with Claroty (fka Team 82), which is their second spin-out. Claroty is one of two dozen companies addressing cyber attacks on ICS. While Claroty is a newer entrant in this relatively nascent space, we believe the deep experience of its team makes it the likely winner.

Recall that retired Israeli General Nadav Zafrir had founded
Team8 to focus the world’s best nation-state cyber warriors on the biggest
challenges of cyber security. Zafrir recently commanded Unit 8200, considered
Israel’s equivalent to the US National Security Agency (NSA). But unlike the
NSA, which employs career-minded employees, Unit 8200 draws and trains the
smartest draftees from the Israeli population, who, like everyone else,
typically resign their military commission after three years. Naturally,
several of them founded cybersecurity companies like Check Point, Palo Alto
Networks, and NICE. But now Zafrir, along with the Unit’s former Head of Cyber
(Israel Grimberg) and former Chief Technology Officer (Assaf Mischari), recruit
and commercially train the top 1% of those graduates, re-purposing them in
cybersecurity startups.

A principal skill set attributed to Unit 8200 is blind protocol
analysis. If, for example, you wished to hack a Siemens centrifuge, you’d need
to deconstruct the packets sent back and forth between the HMI and the PLC, or
between the PLC and the actuator. Most protocols were cobbled together decades
ago and were rarely well documented, and in some cases the vendors themselves
treat them as holy writ. Unit 8200 is reputedly the best in the world at
quickly and accurately understanding and parsing them down to the individual
bit level. Team8 recruited the best, most experienced ICS thought leaders in
Unit 8200, led by their team leader Benny Porat (CS PhD), to staff Claroty.

When Team8 starts a new company, it marries a technical team
with an entrepreneurial founder. In the case of Claroty, Team8 recruited Amir
Zilberstein, who founded the successful Waterfall
Security and Gita Technologies. Waterfall develops ICS security products
(unrelated to Claroty’s product); Gita’s technology remains undisclosed. Team8
also recruited Galina Antova, the former head of Siemens’ Industrial Security
Services division, to run business development. Antova is a super impressive
executive - highly connected, brilliant, and fast-moving. [See Appendix: Due
Diligence for summaries of the team reference calls.] Next step is to recruit a
CMO – we hope to get Patrick McBride, who was a star at iSight.

Beyond Security

With meaningful Operations Technology (OT) experience on the team, Claroty is taking a different approach to the market than its competitors, who generally come from cybersecurity backgrounds. Rather than lead with the cybersecurity benefits of its product, Claroty has developed an OT visibility platform that first and foremost surfaces operational issues. By deconstructing the proprietary vendor protocols, Claroty has delivered the first heterogeneous HMI with analytics that span an ICS network. Since most OT teams today care more about downtime than infection, we believe this approach will enjoy a far better reception in the near term.
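The memo describes OT visibility as deconstructing the SCADA protocols that link HMIs to PLCs, and earlier names DNP3 as one of them. As an added illustration (not Claroty’s code and not part of the memo), here is a minimal passive decoder for the DNP3 link-layer frame in Python: it validates the frame’s CRC-16/DNP checksums, names the link-layer function from the control byte, and raises monitor alerts for malformed frames and for frames claiming the master role from an address outside an allowlist. The sample frames, the payload bytes, and the `KNOWN_MASTERS` allowlist are constructed for this example; the frame layout, CRC parameters, and function codes are those of the public DNP3 specification.

```python
"""Passive DNP3 link-layer decoder for OT monitoring (added example, not Claroty code)."""
from dataclasses import dataclass
from typing import List, Set

DNP3_START = b"\x05\x64"   # every DNP3 link frame begins with these two bytes
_REFLECTED_POLY = 0xA6BC   # bit-reversed form of the CRC-16/DNP polynomial 0x3D65


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, init 0, reflected in/out, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ _REFLECTED_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


# Link-layer function codes, keyed by the low 4 bits of the control byte.
PRIMARY_FUNCTIONS = {0: "RESET_LINK", 2: "TEST_LINK", 3: "CONFIRMED_USER_DATA",
                     4: "UNCONFIRMED_USER_DATA", 9: "REQUEST_LINK_STATUS"}
SECONDARY_FUNCTIONS = {0: "ACK", 1: "NACK", 11: "LINK_STATUS", 15: "NOT_SUPPORTED"}


@dataclass
class LinkFrame:
    control: int
    destination: int
    source: int
    user_data: bytes

    @property
    def from_master(self) -> bool:
        return bool(self.control & 0x80)   # DIR bit: 1 = sent by the master

    @property
    def primary(self) -> bool:
        return bool(self.control & 0x40)   # PRM bit: 1 = primary (initiating) message

    @property
    def function(self) -> str:
        table = PRIMARY_FUNCTIONS if self.primary else SECONDARY_FUNCTIONS
        return table.get(self.control & 0x0F, "UNKNOWN")


def encode_frame(control: int, destination: int, source: int, user_data: bytes = b"") -> bytes:
    """Build a link frame: 8-byte header + CRC, then 16-byte data blocks each followed by a CRC."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds 250 bytes")
    # LEN counts CTRL, DEST and SRC (5 bytes) plus user data, excluding all CRCs.
    header = (DNP3_START + bytes([5 + len(user_data), control])
              + destination.to_bytes(2, "little") + source.to_bytes(2, "little"))
    out = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + dnp3_crc(block).to_bytes(2, "little")
    return out


def decode_frame(raw: bytes) -> LinkFrame:
    """Parse and CRC-check one frame; raise ValueError on anything a monitor should flag."""
    if len(raw) < 10 or raw[:2] != DNP3_START:
        raise ValueError("missing DNP3 start bytes or truncated header")
    header, header_crc = raw[:8], int.from_bytes(raw[8:10], "little")
    if dnp3_crc(header) != header_crc:
        raise ValueError("header CRC mismatch")
    length = raw[2]
    if length < 5:
        raise ValueError("LEN field below minimum of 5")
    payload_len = length - 5
    if len(raw) < 10 + payload_len + 2 * ((payload_len + 15) // 16):
        raise ValueError("frame shorter than LEN implies")
    user_data, pos, remaining = b"", 10, payload_len
    while remaining > 0:
        n = min(16, remaining)
        block = raw[pos:pos + n]
        if dnp3_crc(block) != int.from_bytes(raw[pos + n:pos + n + 2], "little"):
            raise ValueError("user data block CRC mismatch")
        user_data, pos, remaining = user_data + block, pos + n + 2, remaining - n
    return LinkFrame(raw[3], int.from_bytes(raw[4:6], "little"),
                     int.from_bytes(raw[6:8], "little"), user_data)


def audit_frames(frames: List[bytes], known_masters: Set[int]) -> List[str]:
    """Checks a passive monitor would raise over captured frames; returns alert strings."""
    alerts = []
    for i, raw in enumerate(frames):
        try:
            f = decode_frame(raw)
        except ValueError as exc:
            alerts.append(f"frame {i}: malformed ({exc})")
            continue
        if f.from_master and f.source not in known_masters:
            alerts.append(f"frame {i}: {f.function} claiming master role from unknown address {f.source}")
        if f.function == "UNKNOWN":
            alerts.append(f"frame {i}: reserved link function code {f.control & 0x0F}")
    return alerts


# Constructed sample traffic: one legitimate master (address 1) polling outstation 10.
KNOWN_MASTERS = {1}
PAYLOAD = b"\xc0\xc1\x01\x3c\x02\x06"                 # constructed user-data bytes
GOOD = encode_frame(0xC4, 10, 1, PAYLOAD)             # DIR=1, PRM=1, UNCONFIRMED_USER_DATA
TAMPERED = GOOD[:12] + bytes([GOOD[12] ^ 0xFF]) + GOOD[13:]   # one payload byte corrupted
ROGUE = encode_frame(0xC4, 10, 99, PAYLOAD)           # unlisted address 99 acting as master
SAMPLE_FRAMES = [GOOD, TAMPERED, ROGUE]

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_FRAMES, KNOWN_MASTERS):
        print(alert)
```

The decoder stops at the link layer on purpose: a monitor that wants to stay out of the timing-sensitive OT path only needs to read frames off a mirror port, check their integrity, and attribute them to master or outstation addresses, which is enough to notice corrupted traffic and an unexpected device issuing commands without touching a single PLC.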

Fine Print

The thoughts and opinions expressed herein belong to the author and do not necessarily reflect those of Bessemer Venture Partners or any of its affiliates (“Bessemer”). The material here is written on the author’s own time for his own reasons, and Bessemer has not reviewed or approved the information herein. Any discussion of topics related to Bessemer or its investment activities should not be construed as an official comment of Bessemer.